Group signature system and method providing controllable linkability

ABSTRACT

A group signature system includes: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins; an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given. The group signature system further includes: a signature verifying unit for confirming a validity of the given signatures and a signer information confirming unit for confirming a validity of singer confirming information generated by the opener server.

CROSS-REFERENCE(S) TO RELATED APPLICATION

The present invention claims priority of Korean Patent Application No. 10-2010-0096561, filed on Oct. 4, 2010, which is incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to an cryptographic group signature scheme, and more particularly, to a group signature system and method which provide anonymity and linkability controllable in various levels, whereby a signature generated by an authorized user of a group superficially verifies that a user among group members has simply generated a signature with respect to a message, and when a particular opening key is given, the signer can be checked and when a particular linking key is given, the fact that signature values are linked (namely, they have been generated by a signing key) can be checked.

BACKGROUND OF THE INVENTION

In general, a group signature scheme, which is one of very important cryptographic authentication schemes for protecting user's privacy, has been widely studied. The group signature scheme, concept of which was first proposed by Chaum and Heyst in 1991, has since greatly developed, and numerous substantial schemes thereof, as well as formal models with respect to security requirements, have been also proposed.

In addition, an effective anonymity authentication scheme, which may replace an ID/password authentication scheme and a real name-based PKI authentication scheme involving many problems such as an exposure of personal information, a service provider's excessive collecting of personal information, and a leakage caused by a management carelessness in the process of registering and confirming personal information, and the like, and an i-Pin scheme involving a problem of extensive behavior tracking, has been actively studied in recent years.

However, the traditional group signature scheme simply handles anonymity with a dichotomous structure of concealing and recovering a signer's ID and thus is not sufficient to be adopted in an actual application environment. The reason is because the side that uses services prefers the merits of perfect anonymity but the side that provides services cannot easily achieve its original purpose obtained from providing the services only with anonymity.

For example, in a web-based anonymity authentication service, various personalized services as well as good quality services cannot be provided. Also, in case of data mining, it would be difficult useful information obtained from anonymity authentication data.

Therefore, in order to solve such problems, a development of a group signature scheme or the like, which may be able to control various anonymity levels in a practical point of view and excellent in terms of performance, is urgently required.

In addition, in order to design and develop the effective group signature schemes providing the above-mentioned anonymity characteristics, an existing linear encryption (LE) scheme of a bilinear group is not sufficient, and a novel cryptographic scheme which is structurally flexible and able to efficiently encrypt multiple pairs of messages needs to be also developed together.

Meanwhile, various group signature schemes have been suggested to provide anonymity authentication so far; however, they adopt a simple structure in which anonymity is processed such that a signer's ID is concealed in a generated signature and when a master opening key is given, the signer's ID is recovered. Such method is not sufficient to be utilized in an actual application environment. A problem arises in that, although the side that uses services prefers the merits of anonymity, the side that provides services cannot easily achieve a useful purpose for providing the services only with anonymity.

For example, when a web-based anonymity authentication service is considered, a service provider requires user information (e.g., a user's consumption pattern) in the form of anonymity, and if this is not supported, various personalized services and good quality services in association therewith cannot be provided. Also, in case of data mining, it would be difficult to obtain useful information from anonymity authentication data depending on a developer-desired method.

SUMMARY OF THE INVENTION

Therefore, the present invention provides a novel type group-based anonymity signature scheme required for diversifying the level of anonymity by overcoming limited controlling of anonymity of an existing group signature scheme. More specifically, the present invention provides a group signature system and method which divide the concept of anonymity into various levels by employing a controllable linkability and provides a corresponding control method. Namely, only when a particular key is given, connection information between signer IDs or signature values is confirmed and thus anonymity can be controlled.

The present invention is further provides a linear combination encryption (LCE) scheme and a hybrid linear combination encryption (HLCE) scheme obtained by extending the LCE scheme. These schemes may be essentially used to design a group signature scheme and may be also significantly used to independently design a different cryptographic scheme. These cryptographic schemes may stably and efficiently encrypt multiple messages in an algebraic group in which a decisional Diffie-Hellman (DH) problem is easy, for example, in bilinear group defined for bilinear pairings.

In accordance with an aspect the present invention, there is a group signature system including: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins;

an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given.

In accordance with another aspect of the present invention, there is provided a group signature method including: generating, by a key issuer server, a first parameter of a group public key, and generating a corresponding master issuing key; issuing a signature key to a user device when the user device joins; generating, by an opener server, a second parameter of the group public key, and a corresponding master opening key and master linking key; and checking, by a linker server, whether two valid signatures have been linked by using the master linking key when the two signatures are given.

In accordance with still another aspect of the present invention, there is provided a method for generating a group public key: generating, by a key issuer server, a first parameter of a group public key and defining a corresponding master issuing key; defining, by an opener server, a master opening key and a master linking key, generating a second parameter of the group public key, and providing the generated second parameter to the key issuer server; and combining, by the key issuer server, the first and second parameters to generate the group public key.

In accordance with still another aspect of the present invention, there is provided a method for updating a group public key including: releasing, by a key issuer server, a revocation list for updating keys when a session is changed; generating, by the key issuer server, a new group public key and providing the new group public key to a user device; updating, by the user device, the group public key with the new group public key; and updating, by the user device, a signature key corresponding to the new group public key.

In accordance with still another aspect of the present invention, there is provided a method for generating a signature key including: receiving, at a key issuer server, a subscription request message from a user device; verifying, by the key issuer server, a validity of the subscription request message; receiving a signature with respect to the verified subscription request message from the user device; verifying, by the key issuer server, a validity of the signature to register the user device; and generating, by the user device, a secrete signature key corresponding to a group public key.

In accordance with still another aspect of the present invention, there is provided: a method for encrypting a message including: defining, by an opener server or a recipient, a public key, and storing a secret key corresponding thereto; outputting, by a message sender or a user device, a cryptogram regarding its message by using the public key; and calculating, by the opener server or the recipient, the cryptogram by using the secret key to recover the original message.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the present invention will become apparent from the following description of embodiments, given in conjunction with the accompanying drawings, in which:

FIG. 1 is a view illustrating a group signature system providing a controllable linkability in accordance with an embodiment of the present invention;

FIG. 2 is a flowchart illustrating the process of generating a group public key, a master issuing key, a master opening key, and a master linking key of a group signature system in accordance with the embodiment of the present invention;

FIG. 3 is a flowchart illustrating the process of generating a signature key between a key issuer server and a user device in accordance with the embodiment of the present invention;

FIG. 4 is a flowchart illustrating the process of generating a group signature by an authorized user device with respect to a given message in accordance with the embodiment of the present invention;

FIG. 5 is a flowchart illustrating the process of verifying, by a signature verifying unit, a group signature with respect to a message generated by the authorized user device in accordance with the embodiment of the present invention;

FIG. 6 is a flowchart illustrating the process of generating proof information regarding a group signature with respect to a message generated by the authorized user device and verifying the validity of the proof information in accordance with the embodiment of the present invention;

FIG. 7 is a flowchart illustrating the process of confirming whether signature values have been linked by using a master linking key with respect to two group signatures generated by the authorized user device in accordance with the embodiment of the present invention;

FIG. 8 is a flowchart illustrating the process of releasing relevant information and updating a group public key by a key issuer server and updating, by the authorized user device, its signature key, when a key revocation occurs in accordance with the embodiment of the present invention;

FIG. 9 is a flowchart describing a linear combination encryption (LCE) scheme in accordance with the embodiment of the present invention; and

FIG. 10 is a flowchart describing a hybrid LCE (HLCE) scheme in accordance with the embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereinafter, the embodiments of the present invention will be described with reference to the accompanying drawings which form a part hereof.

FIG. 1 is a view illustrating a group signature system providing a controllable linkability in accordance with an embodiment of the present invention.

Referring to FIG. 1, the components that participate in the scheme in accordance with the present invention roughly include a key issuer server 100, an opener server 200, a linker server 300, a user device 400, a signature verifying unit 500, and a signer information confirming unit 600. Here, the servers 100 to 300 may be understood as a concept of an algorithm that outputs a particular value with respect to a given input value. The configuration of the participants is not limited herein but the roles of participants may be flexibly separated or integrated (e.g., integrating the key issuer server 100 and opener server 200 or integrating the opener server 200 and the linker server 300) based on a definition of a new object depending on a design method, and a new participant may be defined to interwork with a known real name authentication scheme, if necessary.

The key issuer server 100, which is a reliable object, initially generates first group public parameters (gpp1), and generates a corresponding master issuing key (mik). When a new user device is joined, the key issuer server 100 run an interactive protocol and issues a signature key to the user device.

When a key revocation occurs, the key issuer server 100 releases information regarding a revocation list, and, when participants require, the key issuer server 100 updates key values.

The opener server 200 initially generates second group public parameters (gpp2) and corresponding master opening key (mok) and master linking key (mlk). The master linking key is provided to the linker server 300. When a valid signature is given, the opener server 200 outputs proof information for confirming a signer by using a master opening key. Anyone can check the output proof information freely.

The linker server 300 initially receives the master linking key (mlk) from the opener server 200. When two valid signatures are given, the linker server 300 may check whether they are linked (namely, whether the two signatures have been generated by a single signer) by using the master linking key.

The user device 400 may join as a member of an authorized group and receive a signature key issued by the key issuer server 100.

In this case, the user device 400 and the key issuer server 100 run the interactive protocol. Thereafter, the user device 400 generates a group signature with respect to a given message by using the issued signature key. When a key revocation takes place, the user device 400 updates the key values by using revocation information provided from the key issuer server 100. The signature verifying unit 500 is an algorithm that confirms the validity of the given signature. The signer information confirming unit 600 is an algorithm that verifies the validity of signer conformation information generated by the opener server 200.

The key issuer server 100 defines a group public key (gpk) by combining the generated first parameter gpp1 and second parameter gpp2, and releases the defined group public key to every participating component within the group signature system. Namely, gpk={gpp1,gpp2}. Afterwards, whenever a key revocation occurs, gpk is updated.

FIG. 2 is a flowchart illustrating the process of generating an initial group public key including the group public parameters gpp1 and gpp2, and their corresponding master issuing key, master opening key and master linking key by the key issuer server 100 and the opener server 200 in accordance with an embodiment of the present invention.

Now, the embodiment of the present invention will be described in detail with reference to FIG. 2.

Upon receiving a security parameter k as an input at an early stage, the key issuer server 100 performs the following. First, the key issuer server 100 generates a pair of bilinear groups (G₁,G₂) and a bilinear map combined with the bilinear groups e: G₁×G₂→G_(T) and a hash function H: {0,1}→Z_(p)*. The key issuer server 100 selects certain elements h₁εG₂ and g₁, g₂, g₃, gεG₁. Also, the key issuer server 100 selects θεZ_(p)*, calculates h_(θ)=h₁ ^(θ), and then defines θ as a master issuing key (mik=θ) in step S200.

Also, the opener server 200 selects θ₁, θ₂, ξ₁, ξ₂εZ_(p)* and calculates u=h₁ ^(ξ) ¹ and v=h₁ ^(ξ) ² . In addition, the opener server 200 selects a certain element u, vεG₁, and calculates w₁=u^(η) ¹ , w₂=v^(η) ² , d₁=u^(ξ) ¹ , and d₂=v^(ξ) ² . Here, (η₁, η₂, ξ₁, ξ₂) is defined as a master opening key (mok=(η₁, η₂, ξ₁, ξ₂)) and (U,V) is defined as a master linking key (mlk=(U,V)). And, the opener server 200 transmits the second parameter gpp2=(u, v, w₁, w₂, d₁, d₂) to the key issuer server 100 in step S202.

The key issuer server 100 combines gpp2=(u, v, w₁, w₂, d₁, d₂) received from the opener server 200 with its own gpp1=(e, G₁, G₂, g₁, g₂, g₃, g, h₁, h_(θ), H) to create an initial group public key gpk=(e, G₁, G₂, g₁, g₂, g₃, g, h₁, h_(θ), H, u, v, w₁, w₂, d₁, d₂) and allows the initial group public key to be used freely in step S204. The initial public key is updated whenever a key revocation occurs. For the sake of convenience, it is assumed that the initial group public key is denoted as gpk₀, and parameters in the group public key managed by the key issuer server 100 and the opener server 200 can be verified by using a freely authenticated method.

FIG. 3 is a flowchart illustrating the process of generating a signature key between the key issuer server 100 and the user device 400 in accordance with an embodiment of the present invention.

Now, the embodiment of the present invention will be described in detail with reference to FIG. 3.

First, the user device 400, which wants to join a group newly, and the key issuer server 100 interactively perform the following process. In this case, it is assumed that an authentication and security channel have been already established between the two participants. In the following description, Ext-Commit denotes an extractable commitment scheme providing perfect binding and computationally hiding. When trapdoor information is given, a committed value can be recovered. NIZKEqDL(a,b,c) denotes a non-interactive zero-knowledge proof scheme verifying that a value committed to ‘a’ and log_(c)b are identical.

In addition, NIZKEqDL(B,D) denotes a non-interactive zero-knowledge proof scheme verifying knowledge about log_(D)B.

It is assumed that an initial group public key gpk₀=(e, g₁, g₂, g₃, T) and a current group public key gpk_(k)=(e, {tilde over (g)}₁, {tilde over (g)}₂, {tilde over (g)}₃, T) are given (where T=(e, h₁, h_(θ), u, v, w₁, w₂, d₁, d₂, H)). Hereinafter, the user device 400 uses a general signature scheme (which is available for PKI-based form) Σ=(KGen, Sign, Vrfy). In the following description, it is assumed that each user device 400 generates a pair of a public key and a secret key for using the signature scheme Σ=(KGen, Sign, Vrfy) in advance.

(1) The user device 400 selects a certain random number Z₁εz_(p)* and calculates upk[i]=Z_(i)=g₃ ^(z) ^(i) . Also, the user device 400 generates T_(U)(C_(U)=Ext−Commit(Z_(i)), NIZKEqDL (C_(U),Z_(i),g₃)), and then transmits a subscription request message (Join, ID_(i), (upk[i]=Z_(i),T_(U))) to the key issuer server 100 in step S300. Here, (upk[i]=Z_(i),T_(U)) serves as a proof of possession (POP) of a private key.

(2) The key issuer server 100 receives the subscription request message (Join, ID_(i), (upk[i]=Z_(i),T_(U))) and then verifies the validity of (upk[i]=Z_(i),T_(U)) according to a predetermined method. When (upk[i]=Z_(i),T_(U)) is valid, the key issuer server 100 checks whether (ID_(i), H(g^(y) ^(i) ), y_(i), . . . , Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) , . . . ) is in a user registration list REG. If so, the key issuer server 100 selects x_(i)εZ_(p)* and calculates A_(i)=(g₁g₂ ^(−y) ^(i) Z_(i) ⁻¹)^(1/(θ+x) ^(i) ⁾εG₁. However, if not, the key issuer server 100 selects x₁, y_(i)εZ_(p)* and calculates A_(i)=(g₁g₂ ^(−y) ^(i) Z_(i) ⁻¹)^(1/(θ+x) ^(i) ⁾εG₁. In addition, the key issuer server 100 calculates Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) , B=e(g₁g₂ ^(−y)Z_(i) ⁻¹, h₁)/e(A_(i), h_(θ)), and D=e(A_(i), h₁), and generates T_(I)=NIZKPoKDL (Y_(1,i),g2) and V_(I)=NIZKPoKDL(B,D). The key issuer server 100 transmits (A_(i), T_(I), V_(I), Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(X) ^(i) , X_(2,i)=h₁ ^(x) ^(i) ) to the user device 400 in step S302.

(3) The user device 400 receives (A_(i), T_(I), V_(I), Y_(1,i)=g₂ ^(y) ^(i) , X_(2,i)=h₁ ^(x) ^(i) ), calculates B=e(g₁g₂ ^(−y) ^(i) Z_(i) ⁻¹, h₁)/e(A_(i), h_(θ)) and D=e(A_(i), h₁), and checks whether T_(I) and V_(I) are valid. Also, the user device 400 checks whether an equation e(A_(i), X_(2,i)h_(θ))=e(g₁Y_(1,i)g₃ ^(−Z) ^(i) , h₁) is established. When all the verifications are successful, the user device 400 generates a signature σ_(2,i)←Signski(Ai, upk[i]=Z_(i), Y_(1,i)−g₂ ^(y) ^(i) , X_(2,i)=h₁ ^(y) ^(i) ) and transmits σ_(2,i) to the key issuer server 100 in step S304.

(4) The key issuer server 100 receives the signature σ_(2,i) and then verifies validity of that signature. When the signature is valid, the key issuer server 100 transmits information regarding portion of secret key (x_(i), y_(i)) to the user device 400 in step S306.

(5) The user device 400 receives, (x_(i), y_(i)), and then calculates Ã″=(g₁″g₂″^(−y)g₃″^(−z))^(1/(θ+x)) corresponding to the current group public key by using a user key updating algorithm. And then, it is checked whether the following equation holds: e(A _(i) ,h ₁ ^(x) ^(i) h _(θ))=e(g ₁ g ₂ ^(−y) ^(i) g ₃ ^(−z) ^(i) ,h ₁) and e(A _(i) ,{tilde over (h)} ₁)=e(Ã _(i) ,h ₁).

When the equation holds, the user device 400 stably stores usk[i]=(Ã₁, x_(i), y_(i), z_(i), A_(i)) as a secret signature key corresponding to the current group public key in step S308. Finally, when e(X_(1,i), h₁)=e(g, X_(2,i)) and e(Y_(1,i), h₁)=e(g₂, Y_(2,i)) are held, the user device 400 generates a signature σ_(judge,i)←Sign_(sk) _(i) (A_(i), upk[i]=Z_(i), Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) ) with respect to a message (A_(i), upk[i]=Z_(i), Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) ) and transmits σ_(judge,i) to the key issuer server 100 in step S310.

(6) The key issuer server 100 receives the signature σ_(judge,i) then verifies validity of that signature. When the signature is valid, the key issuer server 100 adds (ID_(i), H(g^(y) ^(i) ), y_(i), A_(i), upk[i]=Z_(i), y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) , and σ_(judge,i)) to the user registration list REG in step S312.

In the above description, the structure, in which when the master linking key mlk is given, linkability can be checked regardless of the membership of the user device 400, is provided. This structure may be modified such that linkability is provided only while the user device 400 is joined and maintained as an authorized member, and in this case, the key issuer server 100 may select y_(i)εZ_(p)* as a new value whenever a user joins in the above process (2).

FIG. 4 is a flowchart illustrating the process of generating a group signature by the authorized user device 400 with respect to a given message in accordance with an embodiment of the present invention.

First, when a message M is received, the user device 400 receives a given current group public key gpk, a corresponding user secret signature key usk[i]=(Ã, x, y, z, A), and the message M as inputs in step S400. Next, the user device 400 generates a signature σ with respect to the inputs as follows in step S402. Namely, the user device 400 first selects a random number α, β←Z_(p), and calculates: D ₁ ←u ^(α) ,D ₂ ←v ^(β) ,D ₃ ←Ãw ₁ ^(α) w ₂ ^(β) ,D ₄ ←g ^(y) d ₁ ^(α) d ₂ ^(β), and γ←xαmod p,δ←xβmod p.

Further, the user device 400 selects certain random numbers r_(α), r_(β), r_(γ), r_(δ), r_(x), r_(y), r_(z)←Z_(p) and calculates: R ₁ ←u ^(r) ^(α) ,R ₂ ←v ^(r) ^(β) ,R ₃ ←e(D ₃ ,h ₁)^(r) ^(x) e(w ₁ ,h _(θ))^(−r) ^(α) e(w ₂ ,h _(θ))^(−r) ^(β) e(w ₂ ,h ₁)^(−r) ^(γ) e(w ₂ ,h ₁)^(−r) ^(δ) e(g ₂ ,h ₁)^(r) ^(y) e(g ₃ ,h ₁)^(r) ^(z) ,R ₄ ←g ^(r) ^(y) d ₁ ^(r) ^(α) d ₂ ^(r) ^(β) ,R ₅ ←D ₁ ^(r) ^(x) u ^(−r) ^(γ) ,R ₆ ←D ^(r) ^(x) u ^(−r) ^(δ) .

In addition, the user device 400 calculates: c=H(M,D ₁ ,D ₂ ,D ₃ ,D ₄ ,R ₁ ,R ₂ ,R ₃ ,R ₄ ,R ₅ ,R ₆) by using a hash function, and also calculates: s _(α) =r _(α) +cα,s _(β) =r _(β) +cβ,s _(γ) =r _(γ) +cγ,s _(δ) =r _(δ) +cδ,s _(x) =r _(x) +cx,s _(y) =r _(y) +cy,s _(z) =r _(z) +cz.

Finally, the user device 400 outputs σ=(D₁, D₂, D₃, D₄, c, s_(α), s_(β), s_(γ), s_(δ), s_(x), s_(y), s_(z)) as a signature in step S404.

In the above description, a linear encryption scheme, instead of a linear combination encryption scheme, may be used for D₃←Ãw₁ ^(α)w₂ ^(β) or D₄←g^(y)d₁ ^(α)d₂ ^(β). For example, D₄←g^(y)d^(α+β) instead of D₄←g^(y)d₁ ^(α)d₂ ^(β) is calculated. In this case, the generation of the relevant group public key, the generation of the proof information for the signer, the algorithm for confirming the signer proof information, and the method for checking linkability information may be appropriately corrected for consistency as necessary. The correction may be obviously made to those skilled in the art, so a description thereof will be omitted.

FIG. 5 is a flowchart illustrating the process of verifying, by the signature verifying algorithm 500, a group signature with respect to message generated by the authorized user device 400 in accordance with an embodiment of the present invention.

It is assumed that a signature σ=(D₂, D₃, D₄, c, s_(α), s_(β), s_(γ), s_(δ), s_(x), s_(y), s_(Z)) is given for a message M in step S500. Then, the signature verifying unit 500 calculates: R ₁ ←u ^(s) ^(α) D ₁ −c,R ₂ ←v ^(s) ^(β) D ₂ ^(−c) ,R ₃ ←e(D ₃ ,h ₁)^(s) ^(x) e(w ₁ ^(−s) ^(α) w ₂ ^(−s) ^(β) ₁ ,h _(θ))e(w ₁ ^(−s) ^(γ) w ₂ ^(−s) ^(δ) ₂ ,h ₁)e(g ₂ ,h ₁)^(s) ^(y) e(g ₃ ,h ₁)^(s) ^(z) (e(D ₃ h _(θ))/e(g ₁ ,h ₁))^(c) ,R ₄ ←g ^(s) ^(y) d ₁ ^(s) ^(α) d ₂ ^(s) ^(β) D ₄ ^(−c) ,R ₅ ←D ₁ ^(s) ^(x) u ^(−s) ^(γ) , and R ₆ ←D ₂ ^(s) ^(x) v ^(−s) ^(δ) in step S502.

And then, the signature verifying unit 500 calculates a hash function value c′=H(M, D₁, D₂, D₃, D₄, R₁, R₂, R₃, R₄, R₅, R₆), and then checks whether C and C′ are identical. When they are identical, the signature verifying unit 500 outputs 1 indicating that the given signature is valid, and if not, it outputs 0 in step S504.

FIG. 6 is a flowchart illustrating the process of generating proof information confirming who the signer is by using a master opening key for a group signature with respect to a message generated by the authorized user device 400 and verifying the validity of the proof information by using the signer information confirming unit 600 in accordance with an embodiment of the present invention.

It is assumed that a signature σ=(D₁, D₂, D₃, D₄, c, s_(α), s_(β), s_(γ), s_(δ), s_(x), s_(y), s_(z)) with respect to a message M is given in step S600. The opener server 200 generates proof information τ by using the master opening key mok=(η₁, η₂, ξ₁, ξ₂) as follows. The opener server 200 calculates H(g^(y)) and Ã through g^(y)←D₄(D₁ ^(ξ) ¹ D₂ ^(ξ) ² )⁻¹ and Ã←D₃(D₁ ^(η) ¹ D₂ ^(η) ² )⁻¹ in step S602.

Subsequently, the opener server 200 efficiently searches the user registration list REG for a user index i satisfying H(g^(y))=H(g^(y) ^(i) ) and information upk[i]=Z_(i)=g₃ ^(z) ^(i) , Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) corresponding to the user index by using H(g^(y)) in step S604. Herein, upk[i]=Z_(i)=g₃ ^(z) ^(i) is information registered by the signer with its public key when it joined. The opener server 200 selects a certain random number r₁, r₂←Z_(P) and calculates K₁₂=D₁ ^(η) ¹ D₂ ^(η) ² , W₁=u^(r) ¹ , W₂=v^(r) ² , W₁₂=D₁ ^(r) ¹ D₂ ^(r) ² , c₁₂=H(σ, u, v, K₁₂, W₁, W₂, W₁₂), and s₁=r₁+c₁₂η₁, s₂=r₂+c₁₂η₂ (mod p). And then, the opener server 200 outputs (i, τ=(K₁₂, c₁₂, s₁, s₂) upk[i]=Z_(i)=g₃ ^(Z) ^(i) , Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) , σ_(judge,i)) as signer proof information with respect to the given signature and message in step S606. Here, σ_(judge,i) is a general signature (generated by using the signature scheme Σ by the signer i) verifying that the signer i knows about the exponent values x_(i), y_(i), z_(i).

The signer information confirming unit 600 checks whether the following equation holds with respect to the signature σ=(D₁, D₂, D₃, D₄, c, s_(α), s_(β), s_(γ), s_(δ), s_(x), s_(y), s_(z)) for the given message M and the signer proof information (i, τ=(K₁₂, c₁₂, s₁, s₂), upk[i]=Z_(i)=g₃ ^(Z) ¹ , Y_(1,i)=g₂ ^(y) ^(i) , Y_(2,i)=h₁ ^(y) ^(i) , X_(1,i)=g^(x) ^(i) , X_(2,i)=h₁ ^(x) ^(i) , σ_(judge,i)).

(1) First, the signer information confirming unit 600 calculates: c′12=H(σ,u,v,K ₁₂ ,u ^(s) ¹ w ₁ ^(−c) ¹² ,v ^(s) ² w ₂ ^(−c) ¹² D ₁ ^(s) ¹ D ₂ ^(s) ² K ₁₂ ^(−c) ¹² ) and checks whether c′₁₂=c₁₂ holds.

(2) The signer information confirming unit 600 checks whether e(D₃K₁₂ ⁻¹, X_(2,i)h_(θ))=e(g₁Y_(1,i) ⁻¹Z_(1,i) ⁻¹{tilde over (h)}₁) holds. Here, {tilde over (h)}₁ is a value included in the current group public key, and g₁ is a value included in the initial group public key gpk₀. When the above equalities are all hold, the signer information confirming unit 600 outputs 1 indicating that they are valid, or otherwise, the signer information confirming unit 600 outputs 0 in step S608.

FIG. 7 is a flowchart illustrating the process of confirming whether signature values have been linked by using a master linking key with respect to two group signatures generated by the authorized user device 400 in accordance with an embodiment of the present invention.

When pairs of given messages and signatures (σ, M) and (σ′, M′) are received in step S700, the linker server 300 calculates B₁=e(D₄, h₁) [e(D₁, U)e(D₂, V)]⁻¹ and B₂=e(D′₄, h₁) [e(D′₁, U)e(D′₂, V)]⁻¹ by using the master linking key mlk=(U,V), and then checks whether B₁=B₂ HOLDS in step S702. When the equation is established, the linker server 300 outputs 1 indicating that they are linked, or otherwise, the linker server 300 outputs 0 in step S704.

Selectively, it can be checked whether an equation e(D₄/D′₄, h₁)=e(D₁/D′₁, U) e(D₂/D′₂, V) is established in order to increase the efficiency of calculation.

FIG. 8 is a flowchart illustrating the process of releasing relevant information and updating a group public key by the key issuer server 100, and updating, by the authorized user device 400, its signature key, when a key revocation occurs, in accordance with an embodiment of the present invention.

It is assumed that the sets of keys are revoked at every session and a session is denoted by using an index variable k in order to distinguish each session. It is also assumed that k is increased by 1 at a time when a session is changed. It is also assumed that an initial group public key gpk₀=(T, g₁, g₂, g₃) and a current group public key gpk_(k-1)=(T, g′₁, g′₂, g′₃) are given (where T=(e, G₁, G₂, g, h₁, h_(θ), H, u, v, w₁, w₂, d₁, d₂)).

In order to revoke given key values and update keys, first, the key issuer server 100 releases a revocation list RI={(T_(1,i)=g₁ ^(1/(θ+x) ^(k,i) ⁾, T_(2,i)=g₂ ^(1/(θ+x) ^(k,1) ⁾, T_(3,i)=g₃ ^(1/(θ+x) ^(k,i) ⁾, x_(k,i))|i=1, . . . , r_(k)} in step S800.

(1) In order to update the group public key from gpk_(k-1) to gpk_(k), the key issuer server 100 calculates

${g_{1}^{''} = {g_{1}^{\prime}\overset{r_{k}}{\coprod\limits_{i = 1}}T_{1,i}}},{g_{2}^{''} = {g_{2}^{\prime}\overset{r_{k}}{\coprod\limits_{i = 1}}T_{2,i}}},{{{and}\mspace{14mu} g_{3}^{''}} = {g_{3}^{\prime}\overset{r_{k}}{\coprod\limits_{i = 1}}{T_{3,i}.}}}$ The updated group public key is gpk_(k)=(T, g″₁, g″₂, g″₃), as in step S802.

(2) In order to update its signature key from uSk_(k-1)[i]=(A′, x, y, z, A) to uSk_(k)=[i], the user device 400 calculates:

$A^{''} = {{A^{\prime}\overset{r_{k}}{\coprod\limits_{i = 1}}\left\lbrack \left( {T_{1,i}T_{2,i}^{- y}T_{3,i}^{- z}A^{- 1}} \right) \right\rbrack^{1/{({x - x_{k,i}})}}} = {\left( {g_{1}^{''}g_{2}^{'' - y}g_{3}^{'' - z}} \right)^{1/{({\theta + x})}}.}}$ An updated signature key corresponding to the current group public key gpk_(k)=(T, g″₁, g″₂, g″₃) is set to be uSk_(k)[i]=(Ã″, x, y, z, A) in step S804.

FIG. 9 is a flowchart describing the linear combination encryption (LCE) scheme in accordance with the embodiment of the present invention.

A key generation algorithm, an encryption algorithm and a decryption algorithm are defined as follows:

(1) The key generation algorithm: A first user generates an algebraic group G₁ as a prime order p, and a certain generation source u,v of G₁. And then, x and y are selected from a set Z_(P)*, and w₁=u^(x) and w₂=u^(y) are calculated. Here, G₁ is expressed as a multiplicative group. The user defines a public key as (G₁, u, v, w₁, w₂) and releases it, and stably stores the corresponding secret key (x,y) in step S900;

(2) Encryption algorithm: When a message MεG₁ is given and a public key (G₁, u, v, w₁, w₂) and the corresponding secret key (x,y), a and b are selected from the set Z_(p)*, c₁=u^(a), c₂=v^(b), and D₁=Mw₁ ^(a)w₂ ^(b) are calculated, and then a ciphertext (C₁, C₂, D₁) is output in step S902; and

(3) Decryption algorithm: In order to decrypt the given ciphertext (C₁, C₂, D₁), M=D₁C₁ ^(−x)C₂ ^(−y) is calculated by using the secret key (x,y) to recover the message in step S904.

FIG. 10 is a flowchart describing the hybrid LCE (HLCE) scheme obtained by effectively extending the LCE scheme in order to encrypt a tuple of n messages (M₁, . . . , M_(n)) for M_(i)εG₁ in accordance with an embodiment of the present invention. This will be now described in detail.

A key generation algorithm, an encryption algorithm, and a decryption algorithm are defined as follows:

(1) Key generation algorithm: A first user generates an algebraic group G₁ as a prime order p, and a certain generation source u,v of G₁. And then, x and y are selected from a set Z_(P)*, and W_(2i-1=u) _(x) _(i) and W_(2i-1=v) _(y) _(i) are calculated with respect to i=1, . . . , n. Here, it is expressed as a multiplicative group. A public key is defined as (G₁, u, v, w₁, w₂, . . . , w_(2n-1), w_(2n)) and releases it, and stably stores a corresponding secret key (x₁, y₁, . . . , x_(n), y_(n)) in step S950;

(2) Encryption algorithm: When a tuple of n messages (M₁, . . . , M_(n)) for M_(i)εG₁ is given, a and b are randomly selected from the set Z_(P)*, c₁=u^(a), c₂=v^(b), and D₁=Mw₁ ^(a)w₂ ^(b), . . . , D_(j)=M_(j)w_(2j-1) ^(a)w_(j) ^(b), . . . , D_(n)=M_(n)w_(2n-1) ^(a)w_(n) ^(b) are calculated, and then a ciphertext (C₁, C₂, D₁, . . . , D_(n)) is output in step S952; and

(3) Decryption algorithm: In order to decrypt the given ciphertext (C₁, C₂, D₁, . . . , D_(n)), M_(j)=D_(j)C₁ ^(−x) ^(j) C₂ ^(−y) ^(j) is calculated by using the secret key (x₁, y₁, . . . , x_(n), y_(n)) to recover the message in step S954.

As described above, the present invention provides a method which is capable of protecting user privacy by using a group signature scheme that can control anonymity, including a controllable linkability, in various levels.

In accordance with the present invention, anonymity can be combined with various conditions and policies through a provided controllable linkability so as to be segmented.

Basically, a configuration scheme provides all the functions of the existing known group signature scheme and security characteristics. Namely, it is not possible to simply check a signer or linkability information from a given signature value. However, when particular keys are given, namely, when a particular opening key is given, a signer can be checked, and also, when a particular linking key is given, signature values of a signer can be checked to be linked to each other (namely, they have been generated by one signer or a signer key).

In addition, the present invention provides a method for stably encrypting and decrypting a message in an algebraic group in which a decisional Diffie-Hellman (DH) problem is easy. Moreover, the present invention can be applicable to various next-generation IT application fields such as an anonymity-based web service, a medical information protection, a cloud computing authentication, and the like, as well as to application fields in which the existing group signature schemes, such as an anonymity authentication (VSC) for a traffic network, a future Internet anonymity packet authentication, and the like, are available.

Although the present invention has been described with respect to the particular embodiments, various changes or modifications may be made without departing the scope of the present invention. That is, although the present invention has been described with respect to a group signature scheme providing a controllable linkability, a linear combination encryption scheme and a hybrid linear combination encryption with reference to the illustrated drawings, it will be understood by those skilled in the art that various changes and modification may be made.

While the invention has been shown and described with respect to the particular embodiments, it will be understood by those skilled in the art that various changes and modification may be made without departing from the scope of the invention as defined in the following claims. 

What is claimed is:
 1. A group signature system comprising: a key issuer server; an opener server; a linker server; a signature verifying unit; and a user device, wherein the key issuer server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: generating a first parameter of a group public key, generating a corresponding master issuing key, generating a group public key using the first parameter of a group public key and a second parameter of a group public key received from the opener server, verifying a validity of a subscription request message received from the user device requesting a membership in the group signature system, and storing a secret signature key corresponding to the user device membership in the group signature system, wherein the opener server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: generating the second parameter of a group public key, transmitting the second parameter of a group public key to the key issuer server, defining a master opening key, and defining a master linking key, wherein the master linking key is a secret key, wherein the user device includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving a message, receiving the group public key, receiving a secret signature key corresponding to the group public key, generating for the message a group signature corresponding to the group public key, selecting a random number Z_(i)εz_(p)*, calculating upk[1]=Z_(i)=g₃ ^(Zi), generating T_(U) (C_(U)=Ext-Commit(Z_(i)), NIZKEqDL (C_(U),Z_(i),g₃)), wherein Ext-Commit is an extractable commitment scheme providing perfect binding and computational hiding, and NIZKEqDL( ) is a non-interactive zero-knowledge proof scheme, and transmitting the subscription request message (Join, Id_(i), (upk[i]=Z_(i), T_(U))), wherein the subscription request message includes upk[i]=Z_(i), T_(U) as a proof of possession of a personal key, wherein the signature verifying unit is configured to includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving the message and the group signature corresponding to the group public key, and checking whether the group signature received from the user device is valid, and wherein the linker server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving the master linking key from the opener server, receiving from the user device at least two pairs of a message and a group signature as input values, and determining whether said pairs are linked using the master linking key when each of the group signatures correspond to the group public key.
 2. The system of claim 1, further comprising: a signer information confirming unit including a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: outputting a user device verification information for the message and corresponding group signature provided by the user device using a proof information generated by the opener server.
 3. The system of claim 2, wherein the computer executable instructions stored on the opener server, when executed by the processor, further performs receiving the message and corresponding group signature from the user device, generating the proof information using the master opening key, and providing the proof information to the signer information confirming unit.
 4. The system of claim 1, wherein the computer executable instructions stored on the key issuer server, when executed by the processor, further performs updating the group public key when a key revocation occurs upon change of a session.
 5. The system of claim 1, wherein the computer executable instructions stored on the key issuer server, when executed by the processor, further performs defining the master issuing key by using a pair of bilinear groups and a bilinear map coupled with the pair of bilinear groups.
 6. The system of claim 1, wherein a security channel for authentication is established between the user device and the key issuer server.
 7. The system of claim 1, wherein the computer executable instructions stored on the key issuer server, when executed by the processor further performs generating a pair of bilinear groups (G₁, G₂), generating a bilinear map combined with the pair of bilinear groups e:G ₁ ×G ₂ →G _(T), providing a hash function H:{0,1}→Z _(P)*, and selecting elements h ₁ εG ₂, g ₁ ,g ₂ ,g ₃ ,gεG ₁, and θεZ _(P), wherein the first parameter of the group public key is generated as gpp1=(e,G ₁ ,G ₂ ,g _(i) ,g ₂ ,g ₃ ,g,h ₁ ,h _(θ) ,H).
 8. The system of claim 7, wherein the computer executable instructions stored on the key issuer server, when executed by the further performs calculating h_(θ)=h₁ ^(θ), wherein the master issuing key is generated as mik=θ.
 9. A group signature method comprising: generating, by a key issuer server, a first parameter of a group public key; generating, by the key issuer server, a corresponding master issuing key; generating, by the key issuer server, a group public key using the first parameter of a group public key and a second parameter of a group public key received from an opener server; issuing, by the key issuer server, a signature key to a user device when the user device joins; verifying, by the key issuer server, a validity of a subscription request message received from the user device requesting a membership in the group signature system; storing, by the key issuer server, a secret signature key corresponding to the user device membership in the group signature system; generating, by the opener server, a second parameter of the group public key; transmitting, by the opener server, the second parameter of a group public key to the key issuer server, defining, by the opener server, a master opening key, defining, by the opener server, a master linking key, wherein the master linking key is a secret key, receiving, by a user device, a message; receiving, by the user device, the group public key; receiving, by the user device, a secret signature key corresponding to the group public key; generating, by the user device, for the message a group signature corresponding to the group public key, selecting, by the user device, a random number Z_(i)εz_(P)*; calculating, by the user device, upk[1]=Z_(i)=g₃ ^(Zi); generating, by the user device, T_(U) (C_(U)=Ext-Commit(Z_(i)), NIZKEqDL (C_(U), Z_(i), g₃)), wherein Ext-Commit is an extractable commitment scheme providing perfect binding and computational hiding, and NIZKEqDL( ) is a non-interactive zero-knowledge proof scheme; transmitting, by the user device, the subscription request message (Join, Id_(i), (upk[i]=Z_(i),T_(U))), wherein the subscription request message includes upk[i]=Z_(i), T_(U) as a proof of possession of a personal key; receiving, by a signature verifying unit, the message and the group signature corresponding to the group public key: checking, by a signature verifying unit, whether the group signature received from the user device is valid; receiving, by a linker server, the master linking key from the opener server; receiving, by a linker server, from the user device at least two pairs of a message and a group signature as input values; and receiving, by a linker server, whether said pairs are linked using the master linking key when each of the group signatures correspond to the group public key.
 10. The method of claim 9, further comprising releasing, by the key issuer server, a revocation list for updating keys when a session is changed; generating, by the key issuer server, a new group public key and providing the new group public key to a user device; updating, by the user device, the group public key with the new group public key; and updating, by the user device, a signature key corresponding to the new group public key.
 11. The method of claim 9, further comprising outputting, by a signer information confirming unit, a user device verification information for the message and corresponding group signature provided by the user device using a proof information generated by the opener server.
 12. The method of claim 11, further comprising receiving, by the opener server, the message and corresponding group signature from the user device; generating, by the opener server, the proof information using the master opening key; and providing, by the opener server, the proof information to the signer information confirming unit.
 13. The method of claim 9, further comprising updating, by the key issuer server, the group public key when a key revocation occurs upon change of a session.
 14. The method of claim 9, wherein the key issuer server defines the master issuing key by using a pair of bilinear groups and a bilinear map coupled with the pair of bilinear groups.
 15. The method of claim 9, wherein a security channel for authentication is established between the user device and the key issuer server.
 16. The method of claim 9, further comprising generating, by the key issuer server, a pair of bilinear groups (G₁, G₂); generating, by the key issuer server, a bilinear map combined with the pair of bilinear groups e:G ₁ ×G ₂ →G _(T); providing, by the key issuer server, a hash function H:{0,1}→Z _(P)*; and selecting, by the key issuer server, elements h ₁ εG ₂, g ₁ ,g ₂ ,g ₃ ,gεG ₁, and θεZ _(P), wherein the first parameter of the group public key is generated as gpp1=(e,G ₁ ,G ₂ ,g ₁ ,g ₂ ,g ₃ ,g,h ₁ ,h _(θ) ,H).
 17. The method of claim 16, further comprising calculating, by the key issuer server, h _(θ) =h ₁ ^(θ), wherein the master issuing key is generated as mik=θ. 